Error Generating Root/Host Certificates for OpenVPN (header name contains invalid characters)

Hello Everyone,

First time attempt at getting a VPN up and running on my IPFire. I’ve run into an issue and have come up blank so far in my searches to resolve it (looking for “openvpn header contains invalid characters”).

I am using IPFire 2.25 (x86_64) - Core Update 153 and am in the OpenVPN Generate Root/Host Certificates page.
I have filled out the Organization Name and IPFire’s Hostname, Country, and selected 2048 bits.
When I click on “Generate root/host certificates”, the screen sits for between 15 and 45 seconds before jumping to a “500 Internal Server Error” page. Logging in as root and looking at /var/log/httpd/error_log, I see the following info:

…+…++++++++
[Wed Feb 24 18:20:37.599030 2021] [http:error] [pid 5572:tid 137622018057792] [client 192.168.44.120:48536] AH02429: Response header name ‘2021-02-24 18’ contains invalid characters, aborting request, referer: https://192.168.44.1:444/

The error log says the header name contains invalid characters…

One similar thread I found mentions some errors like this can be caused by the /tmp directory permissions but mine looks fine as shown below. That thread ended up just having it fix itself which was no help.
drwxrwxrwt 3 root root 4096 Feb 24 18:19 tmp

Any ideas on how to resolve this?

Hi Darren,

Welcome.

I would suggest it may be something to do with the way you filled out the details on the page or a previous setup, maybe a client?

Country code two digits, i.e. for mine I use UK.
Organisation name has chars with spaces.
hostname is of the form myhost.domain.co.uk.
and DH of 2048, or 4048.

Try not to use any special characters or dashes etc.

Joe.


Hi Joe.

I have not used any special characters and have followed the details you listed exactly the same (but with my country instead of the UK) without luck so something else is up.

I see there is a section that allows me to upload a certificate instead. Is there a place with instructions on how to create it on a Linux (Debian) environment and then I could upload it instead?

Hi @kaiyoot

Welcome to the IPFire Community.

I set up IPFire Core Update 153 in my VM testbed and pressed Generate Root/Host Certificates.

I also then got the 500 Internal Server Error page.

I looked at the log and had a similar message to yours but the previous messages seemed to show that all key/cert generation had completed successfully.
I checked the OpenVPN directories and found that all the certificates had actually been generated.
Accessing the IPFire url again brought back the WUI and going to the OpenVPN page you can see all certificates and I was able to start the OpenVPN server.

So it looks like after the certificates have all been generated the return to the previous WUI page is going wrong.

The good news is that your Root/Host Certificate set has actually been generated and you can use it. Just access your IPFire WUI URL and you should hopefully be good to go. Let us know what you find.

There does seem to be a bug in the code for returning from the page which you don’t see if the certificates are in place.
I will check out previous Core Updates to see when this effect comes in and to confirm that it doesn’t occur with an earlier version.

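As an added illustration (not part of the thread and not IPFire code), this sketch shows why the name in the AH02429 message reads '2021-02-24 18': a web server splits each line of a CGI script's header block at the first colon and requires the name to be an HTTP token. The sample outputs and the function name `invalid_header_names` are constructed for this example; what actually emitted such a line on IPFire is not established in this thread.

```python
import re

# RFC 7230 "token": the only characters allowed in an HTTP header field name.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def invalid_header_names(cgi_output: str) -> list[str]:
    """Return the header names in a CGI response's header block that are not tokens.

    The header block ends at the first empty line. Each header line is split at
    its first colon, so a timestamped line such as '2021-02-24 18:20:37 ...'
    yields the "name" '2021-02-24 18', which contains a space.
    """
    bad = []
    for line in cgi_output.splitlines():
        if line == "":
            break                    # blank line: end of headers, body follows
        name, sep, _value = line.partition(":")
        if not sep:
            bad.append(line)         # no colon at all: not a header line
        elif not TOKEN.fullmatch(name):
            bad.append(name)         # name has characters outside the token set
    return bad


# Constructed samples (assumptions for illustration, not captured from IPFire).
CLEAN = "Status: 302 Found\nLocation: /cgi-bin/example.cgi\n\n"
LEAKY = (
    "2021-02-24 18:20:37 certificate generation finished\n"  # stray text before headers
    "Content-Type: text/html\n"
    "\n"
    "<html></html>\n"
)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("leaky", LEAKY)):
        print(label, invalid_header_names(sample))
```

Running a script's raw output through a check like this before it reaches the web server separates "the work failed" from "the work succeeded but the response was malformed", which is the distinction this thread turns on.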

Confirmed that the problem does not occur after installing Core Update 152 on my VM testbed. Installed Core Update 153 again and problem re-occurred.

I also installed Core Update 154 and the same effect is still there.

I will raise a bug for this in Bugzilla.


Thanks Adolf!

I saw after returning to the OpenVPN menu that I did have a 509x certificate made, but I have no idea if it was valid or not since the whole process took less than 45 seconds while all the documentation I had read said it would take 10+ minutes. I believed “something” had been created but did not trust it enough to move forward with.

Hi Darren,

The time to generate everything depends on the power of your hardware.

My hardware on my VM testbed is an Intel Core i5-8400 @ 2.80GHz and has aes-ni.
With that it is taking about 30 secs to generate the certs, with a 2048 dh key.

On the WUI page you can also click on the i symbol in a blue circle and it will show you the certificate that has been created.

I can also start the OpenVPN server; I would not expect that to happen if the certs were incomplete.

This has been recorded in IPFire Bugzilla:

https://bugzilla.ipfire.org/show_bug.cgi?id=12574
